This is my first post, so apologies if I've ended up in the wrong spot!

I'm relatively new to information security, having worked in the area for about 2 years. I spent my first year and a half working for a large bank in threat and vulnerability management, mainly focusing on data in motion and data at rest. I ended that spell getting involved heavily in metrics, which led me to where I am now. I work in IT Risk Management at my current company and have been tasked with developing a metrics program for info sec. So far it's going well, and I hope to use this as a platform to get myself into more of a management role relatively soon.

My educational background is a BA in History, MS in International Trade / Economics, and I'm just a couple of classes short of my MBA. My goal is to end up at the CISO or CIO level.

Now, for my real question: what certs should I be working towards right now? I know the CISSP is where I really need to be, but I'm still 2 years short on the experience required to get it. It's been suggested that I look at the GSEC, but I wasn't sure. Would appreciate all advice and feedback!

You can also consider the CISM since you are looking to get into management. GSEC is great if you are looking to get a little bit of technical knowledge on all platforms.

How long have you been in IT? The requirements state 5 years in at least two of the 10 domains. Also you have an alternative of becoming an associate by passing the exam and then you have 6 years to get the experience. You also might want to check out some of the SANS management courses.

Thanks for the comment. I didn't realize that the CISM let you have 6 years to get the experience. That may be the route I take and just make sure I get myself into a good management position in the next couple of years.

I definitely want to focus more on the management side of things. I enjoy the technical stuff, but I'm much better at managing and doing the strategic stuff.

I've only been in IT for 2 years when judging by cert criteria. I've done it on the side my whole life, and did help desk work during high school at night. I was also a network admin after high school, but that was 12 years ago so won't count.

You should go in the order I listed. CISSP carries the most weight out of all of them, so if you can only do one for the foreseeable future, do that one.

And yes, it's the same. I believe you have six years from the day you pass to meet the five-year experience requirement. You can also waive a year with a qualifying cert or degree. If you don't have either, you could knock out Security+ quickly.

Just hit up ISACA's and (ISC)2's websites and review the requirements; it's pretty straightforward.